I am learning about IPsec's transport and tunnel modes. I understand that transport mode encrypts only the payload of an IP packet and is used for communication between two entities that both implement IPsec. I understand that tunnel mode encrypts the entire packet and is often used between two gateways (like firewalls at the edges of a network). I have two questions that I think are related:

Why does the header information have to be encrypted in tunnel mode?

If the header information is encrypted, how are packets routed? Don't headers contain information like: hey, send this packet to 2001:db8:85a3:8d3:1319:8a2e:370:7348? If the header is encrypted, how is the packet routed?

4 Answers

It is not that the header has to be encrypted in tunnel mode; rather, if the header is not encrypted, it is not really a tunnel.

Tunnel mode is about having two routers linked together with an encrypted tunnel. They exchange packets for other hosts. Schematically, router A is the exit router for network netA, and router B is the exit router for network netB. A and B run an IPsec tunnel. Whenever a machine in network netA wants to send a packet to a machine in network netB, that machine sends the packet to its exit router, i.e. router A. Router A sends the packet to router B within the tunnel. Router B receives the encrypted packet, decrypts it upon reception, and discovers which machine in netB the packet is intended for. Router B then sends the packet to the final destination machine.

With the tunnel:

The source and destination machines which talk to each other don't need to be aware of IPsec; only the two routers at both ends of the tunnel do.

Eavesdroppers on the link between routers A and B (i.e. the "bad people on the Internet") only see encrypted data and cannot even know which machine is talking to which machine, since the whole packet is encrypted, including the header.

So an entirely encrypted packet is not really 'routed' (i.e. forwarded along routers in a network). A and B send totally encrypted packets directly to each other. The packets don't travel through the Internet like other packets (although packets might be routed within network A or B).
– bernie2436 Apr 23 '13 at 23:27

The packets will still be routed through the Internet unless both of the routers are on the same local network.
– Hammo Apr 24 '13 at 1:17

@hammo so then the headers are of course not encrypted?
– bernie2436 Apr 24 '13 at 21:42

@tomleek In tunnel mode, is the entire original packet encrypted and then wrapped inside another packet with unencrypted headers? Then the target gateway decrypts the original packet?
– bernie2436 Apr 24 '13 at 21:54

When used in tunnel mode, IPsec treats the whole IP packet as a payload. Therefore, all of this information is encrypted. In order for it to be routed correctly, the IPsec-enabled entity then builds a new packet.

This new IP packet is built to be sent to the tunnel endpoint, e.g. another IPsec gateway. To achieve this, the new IP packet gets a brand new IP header, with the destination IP set to that particular device's address. The rest of the packet contains the traditional ESP data, composed of a header, payload (the original packet), trailer and authentication data.

Here is a schematic of the packet and its encapsulation into a tunnel-mode IPsec packet:

The main interest of tunnel mode is to protect the (internal) addresses of a network. Take as an example a company with two offices separated by X kilometres. Two IPsec gateways are set up, and all traffic from one network to the other is encapsulated in the IPsec tunnel. The only thing visible to an outsider is that the two gateways communicate with each other using the IPsec protocol. What's inside could be any type of communication.

AH only provides the integrity check, so there is no encryption of the payload.
So I assume that you are referring to the ESP protocol.

Here is the answer:

A new outer IP header is added, along with the ESP header, IV (if explicit), the original packet plus padding, and the ICV, to form a new packet.
The entire original packet plus the padding field are encrypted and encapsulated, so no routers along the way are able to examine the inner IP header.

The packet is routed using the outer IP header, which is not encrypted.

For example, host A wants to send an IP packet to host B and requires IPsec, and both firewalls have IPsec capability. A's firewall will then examine the packet and encapsulate it with an outer IP header whose destination address is B's firewall. The packet is then sent to B's firewall, with intermediate routers only examining the outer IP header.
When it reaches B's firewall, the outer IP header, ESP header, padding and ICV are all stripped off, and the inner packet is decrypted and sent to B.

Let's say that Router A and Router B have got the tunnel set up. Router A's LAN IP subnet is x.x.x.0/24, and the IP on the outside interface of Router A is y.y.y.y, which is the same interface where the crypto map is applied. On Router B, let's say its LAN IP subnet is d.d.d.0/24 and the IP on the outside interface is g.g.g.g. Then ESP will encrypt all traffic sourced from the x.x.x.0 subnet to the d.d.d.0 subnet leaving the y.y.y.y interface, using y.y.y.y and g.g.g.g as the outer addresses. Therefore it will be able to make a routing decision.
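As an added worked example (not code from the question or from any of the answers above), here is a small Python model of the ESP tunnel-mode encapsulation that the second, third and fourth answers describe: gateway A wraps the whole inner packet (inner IP header included) in an ESP header, ciphertext and ICV, then prepends a fresh outer IPv4 header addressed to gateway B; routers on the path only ever parse that outer header. The addresses (RFC 5737 documentation ranges), SPI and keys are hypothetical, and because the Python standard library has no AES, the cipher is a labelled stand-in (an HMAC-SHA256 keystream in counter mode); real ESP uses AES-CBC or AES-GCM. The ICV construction (HMAC-SHA-256-128 over the ESP header, IV and ciphertext) and the padding/trailer layout follow RFC 4303 and RFC 4868.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_IPV4 = 4    # ESP Next Header value: the payload is a whole IPv4 packet (tunnel mode)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN = 16        # HMAC-SHA-256-128 (RFC 4868) truncates the tag to 128 bits


def ip_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """What every router on the path can read: the header that is in the clear."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def keystream_xor(key, iv, data):
    """Stand-in cipher: HMAC-SHA256 keystream in counter mode XORed onto data.
    Real ESP uses AES-CBC or AES-GCM; this only keeps the example stdlib-only."""
    stream = b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


class EspSa:
    """One direction of the tunnel: SPI, keys and sequence state (hypothetical values)."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0   # sender's counter (gateway A)
        self.seq_in = 0    # receiver's highest accepted sequence number (gateway B)


def esp_tunnel_encapsulate(sa, gw_src, gw_dst, inner_pkt):
    """Gateway A: wrap the entire inner packet in ESP, then in a new outer IPv4 header."""
    sa.seq_out += 1
    esp_hdr = struct.pack("!II", sa.spi, sa.seq_out)      # SPI and sequence number, in the clear
    iv = os.urandom(8)                                     # explicit IV, in the clear
    pad_len = (-(len(inner_pkt) + 2)) % 4                  # ciphertext must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPV4])
    ciphertext = keystream_xor(sa.enc_key, iv, inner_pkt + trailer)
    icv = hmac.new(sa.auth_key, esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, esp_hdr + iv + ciphertext + icv)


def esp_tunnel_decapsulate(sa, outer_pkt):
    """Gateway B: verify ICV, check sequence, decrypt, strip; returns the original inner packet."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = outer["payload"]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    expected = hmac.new(sa.auth_key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(esp[-ICV_LEN:], expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    if seq <= sa.seq_in:                                   # simplified anti-replay check
        raise ValueError("replayed sequence number")
    sa.seq_in = seq
    plaintext = keystream_xor(sa.enc_key, esp[8:16], esp[16:-ICV_LEN])
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_IPV4:
        raise ValueError("unexpected Next Header")
    return plaintext[:len(plaintext) - pad_len - 2]


def rejection_reason(sa, outer_pkt):
    """Why gateway B would drop outer_pkt, or None if it would accept it."""
    try:
        esp_tunnel_decapsulate(sa, outer_pkt)
    except ValueError as e:
        return str(e)
    return None


def demo():
    """Host A 192.168.1.10 -> host B 10.20.0.5 through gateways 203.0.113.1 -> 198.51.100.1."""
    udp = b"\x30\x39\x00\x35\x00\x0d\x00\x00hello"        # constructed UDP header + payload
    inner = build_ipv4("192.168.1.10", "10.20.0.5", IPPROTO_UDP, udp)
    sa = EspSa(spi=0x1000ABCD, enc_key=b"E" * 32, auth_key=b"A" * 32)   # hypothetical keys
    outer = esp_tunnel_encapsulate(sa, "203.0.113.1", "198.51.100.1", inner)
    routers_see = parse_ipv4(outer)
    recovered = esp_tunnel_decapsulate(sa, outer)
    return {"router_dst": routers_see["dst"],             # routing decision uses the gateway address
            "router_proto": routers_see["proto"],         # 50: routers see only "ESP"
            "inner_dst_visible": ipaddress.IPv4Address("10.20.0.5").packed in outer,
            "recovered_dst": parse_ipv4(recovered)["dst"],
            "intact": recovered == inner, "outer": outer, "sa": sa}
```

Run `demo()` to see the three views: an intermediate router reads destination 198.51.100.1 and protocol 50, the inner host addresses do not appear anywhere in the bytes on the wire, and gateway B recovers the original packet addressed to 10.20.0.5. Flipping any ciphertext byte or re-sending a captured packet is rejected (ICV mismatch, replayed sequence number) before decryption is attempted, which is the order ESP mandates. A real deployment negotiates two SAs (one per direction) with IKE rather than hard-coding keys.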